
Use a custom container registry to install a data and AI platform on-premises

This tutorial is an extension of our previous one, “Use OpenShift templates to install a data and AI platform”, focusing on an option for installing on-premises. It follows the Official Cloud Pak for Data Install Guide to install Cloud Pak for Data V2.1.0.1 and some of its add-ons. While portions of this write-up overlap with the official installation document, we wanted to add more flavor, context, and insight from our experience, and document some of the potholes we hit along the way.

After completing this tutorial, you’ll understand how to install IBM Cloud Pak for Data on Red Hat® OpenShift® on IBM Cloud™, using a custom container registry. Then you can access IBM AI and data tools on-premises.

Prerequisites

A license to install from IBM Passport Advantage:

To install IBM Cloud Pak for Data, you’ll need a license to access the binaries on IBM Passport Advantage. If you don’t have a license, use Cloud Pak for Data Experience instead, which grants a user access to a Cloud Pak for Data cluster for one week, and follow one of our code patterns.

An OpenShift cluster:

We want to run IBM Cloud Pak for Data on OpenShift, so we need an OpenShift cluster. We decided to provision a Red Hat OpenShift on IBM Cloud cluster from IBM Cloud; it only takes a few minutes before you can log into the console. According to the official documentation, the minimum requirements for the cluster are at least 3 workers, 16 vCPUs, and 64 GB RAM. We opted for a beefier setup and used 128 GB RAM, keeping the workers and vCPUs the same.

(Screenshots: OpenShift cluster options and OpenShift cluster overview)

A Linux box

The IBM Cloud Pak for Data install binaries need to be run on a Linux box (we tried on a Mac, ran into issues, and don’t recommend it). We provisioned a VM on IBM Cloud with RHEL 7 and the following specs: 4 CPUs, 16 GB RAM, a 100 GB boot disk, and another 500 GB of storage (mounted on /ibm). We also used the Minimal configuration, not the LAMP stack.

Here are our machine details:

[root@aida-vm-raft ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        3.9G     0  3.9G   0% /dev
tmpfs           3.9G     0  3.9G   0% /dev/shm
tmpfs           3.9G  8.6M  3.9G   1% /run
tmpfs           3.9G     0  3.9G   0% /sys/fs/cgroup
/dev/xvda2       98G  3.3G   90G   4% /
/dev/xvda1      976M  165M  760M  18% /boot
tmpfs           782M     0  782M   0% /run/user/0
/dev/xvdc1      493G   97G  371G  21% /ibm

[root@aida-vm-raft ~]# uname -a
Linux aida-vm-raft.IBM.cloud 3.10.0-1062.el7.x86_64 #1 SMP Thu Jul 18 20:25:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

[root@aida-vm-raft ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.7 (Maipo)

If you’re like us and haven’t had to partition and mount a drive in a while, here’s roughly what we did to mount our secondary drive (/dev/xvdc1), using this guide as a reference. Adjust device names and sizes for your own disk layout.

parted --script /dev/xvdc mklabel gpt mkpart primary ext3 0% 100%
mkfs.ext3 /dev/xvdc1
mkdir -p /ibm && mount /dev/xvdc1 /ibm
echo '/dev/xvdc1 /ibm ext3 defaults 0 0' >> /etc/fstab

Tools to install on a Linux box

The following tools are used by the Cloud Pak for Data installer and need to be installed on the same host you are running the install scripts from.

The OpenShift command-line interface (CLI)

You’ll need the OpenShift CLI (oc) at v3.11, which can be downloaded from the OKD page. Choose the oc Client Tools download and follow the install instructions. We’ll be using this CLI to communicate with our OpenShift cluster.

Alternatively, download and install the CLI with a few commands:

# wget https://github.com/openshift/origin/releases/download/v3.11.0/openshift-origin-client-tools-v3.11.0-0cbc58b-linux-64bit.tar.gz
# gzip -d openshift-origin-client-tools-v3.11.0-0cbc58b-linux-64bit.tar.gz
# tar -xvf openshift-origin-client-tools-v3.11.0-0cbc58b-linux-64bit.tar
# cd openshift-origin-client-tools-v3.11.0-0cbc58b-linux-64bit
# cp kubectl oc /usr/local/bin/

The IBM Cloud CLI

You’ll also need the IBM Cloud CLI (ibmcloud) at the latest version. We’ll be using it to talk to our IBM Container Registry. It can be installed with a single command:

curl -sL https://ibm.biz/idt-installer | bash

A yum update

At this point it would be a good idea to do a yum update.

yum update

Docker runtime

We’ll need the Docker runtime at v1.13.1. Because this is an older version, we need to update our yum config to be able to install it. We followed this guide and summarized the main steps in the code block below.

rpm --import "https://sks-keyservers.net/pks/lookup?op=get&search=0xee6d536cf7dc86e2d7d56f59a178ac6c6238f52e"
yum install -y yum-utils
yum-config-manager --add-repo https://packages.docker.com/1.13/yum/repo/main/centos/7
yum install docker-engine-1.13.1.cs1-1.el7.centos
systemctl enable docker.service
systemctl start docker.service
docker info

What we used

Here’s a quick snapshot of tools we used and their various versions.

[root@aida-vm-raft ~]# ibmcloud --version
ibmcloud version 0.18.1+09d36ed-2019-08-19T08:23:11+00:00
[root@aida-vm-raft ~]# docker --version
Docker version 1.13.1-cs1, build 8709b81
[root@aida-vm-raft ~]# oc version
oc v3.11.0+0cbc58b
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://c100-e.us-south.containers.cloud.ibm.com:31921
openshift v3.11.135
kubernetes v1.11.0+d4cacc0

Okay, now that we’re done with our prerequisites, let’s get to installing IBM Cloud Pak for Data.

Estimated time

Completing this tutorial should take about 3 to 4 hours.

Step 1: Installing IBM Cloud Pak for Data

In this section we’ll talk about getting the install images, configuring the tools we installed, and running the installer.

Getting IBM Cloud Pak for Data install files

Depending on the version of IBM Cloud Pak for Data you are able to download, it should come with various .bin (binary) files. Here are the files that came in our eAssembly, which we downloaded to our local machine. These files were only a few MB each.

stevemar$ ls
db2whse_for_icp4d_x86_V3.7.1.bin      IBMDb2zOSConnector_V2.1.0.1.bin       ICP4DATA_Conf_Map_Gen_BPS_1.0.bin
ICP4Data_streams_V5.1.0.1.bin         ICP4DATA_V2.1.0.1_AnalyticsEnv.bin    ICP4DATA_V2.1.0.1_DV.bin
ICP4DATA_V2.1.0.1_WML.bin             ICP4D_ENT_INC_ICP_x86_V2.1.0.1.bin    ICP4D_ENT_Req_ICP_x86_V2.1.0.1.bin
WKC_for_ICP4D_V2.0.bin

The table below provides a brief description of each file in our eAssembly. For this section of the guide we’re only interested in ICP4D_ENT_INC_ICP_x86_V2.1.0.1.bin. We’ll explore the other files in Step 2: Installing IBM Cloud Pak for Data (add-ons).

| File | Description |
| ---- | ----------- |
| db2whse_for_icp4d_x86_V3.7.1.bin | Db2 Warehouse add-on |
| IBMDb2zOSConnector_V2.1.0.1.bin | Db2 Connector for z/OS add-on |
| ICP4DATA_Conf_Map_Gen_BPS_1.0.bin | Config Map Generator add-on |
| ICP4Data_streams_V5.1.0.1.bin | Streams add-on |
| ICP4DATA_V2.1.0.1_AnalyticsEnv.bin | Additional notebook environments add-on |
| ICP4DATA_V2.1.0.1_DV.bin | Data Virtualization add-on |
| ICP4DATA_V2.1.0.1_WML.bin | Watson Machine Learning add-on |
| ICP4D_ENT_INC_ICP_x86_V2.1.0.1.bin | Base Cloud Pak for Data |
| ICP4D_ENT_Req_ICP_x86_V2.1.0.1.bin | Base Cloud Pak for Data, requires an existing ICP installation |
| WKC_for_ICP4D_V2.0.bin | Watson Knowledge Catalog add-on |

After the files are on your local device, move them to your Linux box. In our case we moved them to our VM using sftp.

stevemar$ sftp root@ip.of.your.vm
Connected to root@ip.of.your.vm
sftp> put *.bin

Ensure the files are executable.

[root@aida-vm-raft ~]# chmod +x *.bin

Before we run these files we need to configure the underlying tools we installed earlier. Let’s get to that.

Configure OpenShift, IBM Cloud, and Helm CLIs

For the install scripts to work, we need to configure the OpenShift CLI to talk to our cluster, the IBM Cloud CLI to store our container images, and Helm to manage the deployments on OpenShift.

Configure OpenShift CLI

Copy the oc login command by launching the OpenShift console and selecting the Copy Login Command from the user profile menu.

(Screenshots: launching the OpenShift console and copying the oc login command)

Run the copied oc login command in a terminal:

$ oc login https://c100-e.us-south.containers.cloud.ibm.com:30258 --token=some_token_from_the_openshift_console
Logged into "https://c100-e.us-south.containers.cloud.ibm.com:30258" as "IAM#stevemar@ca.ibm.com" using the token provided.

You have access to the following projects and can switch between them with 'oc project <projectname>':

* default
     ibm-cert-store
     ibm-system
     kube-proxy-and-dns
     kube-public
     kube-service-catalog
     kube-system
     openshift
     openshift-ansible-service-broker
     openshift-console
     openshift-infra
     openshift-monitoring
     openshift-node
     openshift-template-service-broker
     openshift-web-console

Using project "default".

Try running oc get pods to ensure everything is working as expected.

$ oc get pods
NAME                                READY     STATUS    RESTARTS   AGE
docker-registry-55c45555f8-7nwgn    1/1       Running   0          2h
docker-registry-55c45555f8-wsxgf    1/1       Running   0          2h
registry-console-584bc4cdb5-k6fp4   1/1       Running   0          1h
router-64d5df8b-mgkvr               1/1       Running   0          2h
router-64d5df8b-n6z76               1/1       Running   0          2h
$

Configure the Helm CLI

Helm is used to manage deployments. We’ll need to run helm init with the --client-only flag, which populates ~/.helm so we can drop in our certificates.

[root@aida-vm-raft ~]# helm init --client-only
Creating /root/.helm
Creating /root/.helm/repository
Creating /root/.helm/repository/cache
Creating /root/.helm/repository/local
Creating /root/.helm/plugins
Creating /root/.helm/starters
Creating /root/.helm/cache/archive
Creating /root/.helm/repository/repositories.yaml
Adding stable repo with URL: https://kubernetes-charts.storage.googleapis.com
Adding local repo with URL: http://127.0.0.1:8879/charts
$HELM_HOME has been configured at /root/.helm.
Not installing Tiller due to 'client-only' flag having been set

The next step is to configure your Helm certs. We followed the instructions from the Helm Documentation to generate ca.pem, cert.pem, and key.pem, which were placed under ~/.helm. Here’s what our ~/.helm looked like.

[root@aida-vm-raft ~]# ls ~/.helm/
cache  ca.pem  cert.pem  key.pem  plugins  repository  starters
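For reference, here’s a minimal sketch of how those three files can be generated with openssl, assuming a simple self-signed CA and a single certificate reused for both Tiller and the Helm client (the subjects and validity periods below are illustrative; follow the Helm documentation for production-grade settings):

# create a self-signed CA (key + certificate)
openssl genrsa -out ca.key.pem 4096
openssl req -new -x509 -key ca.key.pem -sha256 -days 365 -subj "/CN=helm-ca" -out ca.pem
# create a key and a CA-signed certificate, reused for Tiller and the Helm client
openssl genrsa -out key.pem 4096
openssl req -new -key key.pem -subj "/CN=tiller" -out tiller.csr.pem
openssl x509 -req -in tiller.csr.pem -CA ca.pem -CAkey ca.key.pem -CAcreateserial -sha256 -days 365 -out cert.pem
# place the files where the helm CLI expects them
cp ca.pem cert.pem key.pem ~/.helm/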

Next we’ll re-run our helm init command, but this time we’ll pass in the newly created certificates, too.

[root@aida-vm-raft ~]# helm init --debug --tiller-tls --tiller-tls-cert cert.pem --tiller-tls-key key.pem --tiller-tls-verify --tls-ca-cert ca.pem
$HELM_HOME has been configured at /root/.helm.

Tiller (the Helm server-side component) has been installed into your Kubernetes Cluster.

Assuming this works, you’ll notice that a plain helm list command hangs, while helm list --tls returns.

[root@aida-vm-raft ~]# helm list --debug
[debug] Created tunnel using local port: '46737'

[debug] SERVER: "127.0.0.1:46737"

^C
[root@aida-vm-raft ~]# helm list --tls --debug
[debug] Created tunnel using local port: '37671'

[debug] SERVER: "127.0.0.1:37671"

[debug] Host="", Key="/root/.helm/key.pem", Cert="/root/.helm/cert.pem", CA="/root/.helm/ca.pem"

Configure the IBM Cloud CLI

We’ll be using the IBM Cloud Container Registry, so we need to log in with the CLI using ibmcloud login. For our example we pass in the --sso flag; your scenario may be different.

[root@aida-vm-raft ~]# ibmcloud login --sso
API endpoint: https://cloud.ibm.com

Get One Time Code from https://identity-3.us-south.iam.cloud.ibm.com/identity/passcode to proceed.
Open the URL in the default browser? [Y/n] > y
One Time Code >
Authenticating...
OK

API endpoint:      https://cloud.ibm.com
Region:            us-south
User:              stevemar@ca.ibm.com
Account:           IBM
Resource group:    No resource group targeted, use 'ibmcloud target -g RESOURCE_GROUP'

Set a default resource group if you don’t have one targeted:

[root@aida-vm-raft ~]# ibmcloud target -g default
Targeted resource group default

And finally log into the IBM Container Registry by running ibmcloud cr login.

[root@aida-vm-raft ~]# ibmcloud cr login
Logging in to 'us.icr.io'...
Logged in to 'us.icr.io'.
OK

Configure the IBM Container Registry

Ensure you have at least one container registry namespace you can use. In our example we have one called aida. If one does not exist, create one with ibmcloud cr namespace-add.

[root@aida-vm-raft ~]# ibmcloud cr namespace-list
Listing namespaces for account 'IBM' in registry 'us.icr.io'...

Namespace
aida
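If you don’t have a namespace yet, create one; the command takes the namespace name as its only argument (aida is just our example, so substitute your own):

ibmcloud cr namespace-add aida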

Now we want to set up our Docker runtime to talk to the new namespace and container registry. We’ll need to supply an IBM Cloud API key for this. Ensure you can see the Login Succeeded message.

[root@aida-vm-raft ~]# docker login us.icr.io/aida -u iamapikey -p apikey
Login Succeeded

Note that if you do not have an API key you can create one by using the ibmcloud iam api-key-create command.

[root@aida-vm-raft ~]# ibmcloud iam api-key-create stevemar-key -d "stevemar key" --file key.json

$ cat key.json
{
    "name": "stevemar-key",
    "description": "stevemar key",
    "apikey": "some-api-key",
    "createdAt": "2019-08-21T20:46+0000",
    "locked": false,
    "uuid": "some-uuid"
}

Configure OpenShift namespace and service accounts

The Cloud Pak for Data installer assumes an OpenShift namespace called zen can be used, or it will create one. Let’s create it and set it as our project context.

[root@aida-vm-raft ~]# oc create ns zen
[root@aida-vm-raft ~]# oc project zen

Within our new namespace we’ll need two new service accounts: 1) tiller, which will be used by Helm, and 2) icpd-anyuid-sa, which the installer assumes is available.

[root@aida-vm-raft ~]# oc create sa -n zen tiller
[root@aida-vm-raft ~]# oc create sa -n zen icpd-anyuid-sa

Still within the zen namespace, we want to add the system:deployer role to the deployer service account, too.

[root@aida-vm-raft ~]# oc -n zen adm policy add-role-to-user -z deployer system:deployer

Next we need to create a Docker registry secret with the oc create secret command; this allows OpenShift to pull images from the registry namespace we created earlier. We also have to link this secret to the service accounts. You can read more about Docker registry secrets in the Kubernetes documentation.

[root@aida-vm-raft ~]# oc create secret docker-registry icp4d-anyuid-docker-pull -n zen --docker-server=us.icr.io/aida --docker-username=iamapikey --docker-password=some-api-key
[root@aida-vm-raft ~]# oc secrets -n zen link icpd-anyuid-sa icp4d-anyuid-docker-pull --for=pull
[root@aida-vm-raft ~]# oc secrets -n zen link default icp4d-anyuid-docker-pull --for=pull

Next, create a Security Context Constraint.

[root@aida-vm-raft ~]# oc create -f - << EOF
> allowHostDirVolumePlugin: false
> allowHostIPC: true
> allowHostNetwork: false
> allowHostPID: false
> allowHostPorts: false
> allowPrivilegedContainer: false
> allowedCapabilities:
> - '*'
> allowedFlexVolumes: null
> apiVersion: v1
> defaultAddCapabilities: null
> fsGroup:
>   type: RunAsAny
> groups:
> - cluster-admins
> kind: SecurityContextConstraints
> metadata:
>   annotations:
>     kubernetes.io/description: zenuid provides all features of the restricted SCC but allows users to run with any UID and any GID.
>   name: zenuid
> priority: 10
> readOnlyRootFilesystem: false
> requiredDropCapabilities: null
> runAsUser:
>   type: RunAsAny
> seLinuxContext:
>   type: MustRunAs
> supplementalGroups:
>   type: RunAsAny
> users: []
> volumes:
> - configMap
> - downwardAPI
> - emptyDir
> - persistentVolumeClaim
> - projected
> - secret
> EOF
securitycontextconstraints.security.openshift.io "zenuid" already exists

And apply that Security Context Constraint to some of the service accounts within our namespace.

[root@aida-vm-raft ~]# oc adm policy add-scc-to-user zenuid system:serviceaccount:zen:default
scc "zenuid" added to: ["system:serviceaccount:zen:default"]
[root@aida-vm-raft ~]# oc adm policy add-scc-to-user anyuid system:serviceaccount:zen:icpd-anyuid-sa
scc "anyuid" added to: ["system:serviceaccount:zen:icpd-anyuid-sa"]

[root@aida-vm-raft ~]# kubectl create clusterrolebinding admin-on-zen --clusterrole=admin --user=system:serviceaccount:zen:default -n zen

[root@aida-vm-raft ~]# oc adm policy add-cluster-role-to-user cluster-admin "system:serviceaccount:zen:icpd-anyuid-sa"
cluster role "cluster-admin" added: "system:serviceaccount:zen:icpd-anyuid-sa"
[root@aida-vm-raft ~]# oc adm policy add-cluster-role-to-user cluster-admin "system:serviceaccount:zen:default"
cluster role "cluster-admin" added: "system:serviceaccount:zen:default"

Great, now we can start using the Cloud Pak for Data install tools.

Run the IBM Cloud Pak for Data installer

This part of the tutorial is broken up into three sections:

1) Downloading the official images with the install tools
2) Unzipping the downloads
3) Deploying to OpenShift

Launch the binary to download the main IBM Cloud Pak for Data images and tooling

On your Linux box, find the binaries that were uploaded and run the base installer, ./ICP4D_ENT_INC_ICP_x86_V2.1.0.1.bin, which downloads a tar file (40 GB!) to /ibm. This step can take some time, so go ahead and grab a coffee.

[root@aida-vm-raft ~]# ./ICP4D_ENT_INC_ICP_x86_V2.1.0.1.bin
Verifying archive integrity...  100%   All good.
Uncompressing ICP4D_EE  100%

***************************************************************************************************************
*** IBM Cloud Private for Data Enterprise Edition V2.1.0.1 - Includes ICP (Default Install Image) - Linux x86 ***
***************************************************************************************************************
Ready to download 'IBM Cloud Private for Data Enterprise Edition V2.1.0.1 - Includes ICP (Default Install Image) - Linux x86'? (y/n) : y

************************************************************************
 Executing BIN File
************************************************************************
The /ibm/icp4d directory exists; starting the download.

Downloading the tarball to /ibm/icp4d/icp4d_ee_2.1.0.1_x86_64.tar
Downloading...
Saving to: 'icp4d_ee_2.1.0.1_x86_64.tar'

100% [==============================================================================] 44,934,594,560

Download completed.

BIN File ended cleanly

Unzip and run the IBM Cloud Pak for Data installer

Once the tar file has finished downloading, untar it and run chmod again, this time on the file installer.x86_64.490. Note that the /ibm/icp4d directory should have been created automatically in the previous step.

[root@aida-vm-raft icp4d]# pwd
/ibm/icp4d
[root@aida-vm-raft icp4d]# ls
icp4d_ee_2.1.0.1_x86_64.tar
[root@aida-vm-raft icp4d]# tar -xvf icp4d_ee_2.1.0.1_x86_64.tar
installer.x86_64.490
modules/
modules/ibm-iisee-zen-1.0.0.tar
modules/ibm-dde-0.13.19-x86_64.tar
[root@aida-vm-raft icp4d]# ls
icp4d_ee_2.1.0.1_x86_64.tar  installer.x86_64.490  modules
[root@aida-vm-raft icp4d]# chmod +x installer.x86_64.490

Note that two add-ons will be untarred to the modules folder. These are included in Cloud Pak for Data’s base install and are described in the table below.

| File | Description |
| ---- | ----------- |
| ibm-dde-0.13.19-x86_64.tar | Analytics Dashboard |
| ibm-iisee-zen-1.0.0.tar | Unified Governance and Integration |

Running the installer will bring up the following:

[root@aida-vm-raft icp4d]# ./installer.x86_64.490

The installer includes the module path '/ibm/icp4d/modules'. The following packages will be installed:

    ibm-dde-0.13.19-x86_64.tar
    ibm-iisee-zen-1.0.0.tar

Press Enter to confirm and continue the installation.

Thank you for using IBM Cloud Pak for Data

Installer is preparing files for the initial setup, this will take several minutes ......................

Initial setup started, log file will be located at /ibm/icp4d/InstallPackage/tmp/wdp.2019_08_22__15_29_20.log
Extracting package ibm-dde-0.13.19-x86_64.tar ...........
Extracting package ibm-iisee-zen-1.0.0.tar ..............
Removed symlink /etc/systemd/system/multi-user.target.wants/docker.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
Checking if the docker daemon is running
Cleaning up old docker images and containers if any exist
Loading the ansible docker image
Loading the web installer docker image
Running the ansible container
cd46d738112baf4e284342a653dff05115783e33af448b4156f4b6181a464242

The initial installation has completed successfully

A new folder was created at /ibm/icp4d/InstallPackage, where we now have a full suite of install tools at our disposal.

[root@aida-vm-raft ~]# cd /ibm/icp4d/InstallPackage/
[root@aida-vm-raft InstallPackage]# ls
addnode_package        DockerImg                              k8s                  setting.sh    wdp-min-rhel7-ppc64le.tar     wdp-repo-centos7-s390x.tar
attach.sh              DockerMount                            LICENSES             template      wdp-min-rhel7-s390x.tar       wdp-repo-centos7-x86_64.tar
base_modules           ibm-cloud-private-x86_64-3.1.2.tar.gz  platform_upgrade.sh  uninstall.sh  wdp-min-rhel7-x86_64.tar
components             icp-docker-18.09.2_x86_64.bin          run_installer.sh     utils         wdp-min-ubuntu-xenial.tar
deploy_on_existing.sh  install_docker.sh                      run_time_check.sh    utils.sh      wdp-repo-centos7-ppc64le.tar

Deploy IBM Cloud Pak for Data to OpenShift

From the /ibm/icp4d/InstallPackage/ folder we can call ./deploy_on_existing.sh to start deploying Cloud Pak for Data to our OpenShift cluster. It will push images to our IBM Container Registry and then use Helm to deploy those images as containers and pods on our OpenShift cluster.

The interactive install wizard will ask for a few specific values; here is what we used:

| Key | Value |
| --- | ----- |
| Namespace | zen |
| Port | 31843 |
| Cluster Docker image prefix | us.icr.io/aida |
| External Docker image prefix | us.icr.io/aida |
| Storage Class Name | 14 (ibmc-file-retain-custom) |

[root@aida-vm-raft InstallPackage]# ./deploy_on_existing.sh

Checking k8s authentication...
Kubernetes is authenticated
Checking Helm authentication...
Helm is authenticated
Inform the namespace to be used on the installation: zen
Namespace: zen
Please type (Y) to accept this value or (N) to set a different namespace: y

Inform the console port to be used on the installation: 31843
Console Port: 31843
Please type (Y) to accept this value or (N) to set a different console port: y
Cluster docker image prefix = The registry prefix of the docker image used by the cluster to pull the images
External docker image prefix = The registry prefix of the docker image used to push the images to. It will be the same as the above when installing from a cluster node.
Cluster docker image prefix: us.icr.io/aida
External docker image prefix (Press Enter to use the same value as above):
Docker Image Prefix Address: us.icr.io/aida
External Docker Image Prefix  Address: us.icr.io/aida
Please type (Y) to procede or (N) to select different registry addresses: y
Verifying the prefix via the docker push command...
Registry us.icr.io/aida push successful

Provide the storage information:
Storage Class Name:
 1) default        11) ibmc-file-custom
 2) ibmc-block-bronze       12) ibmc-file-gold
 3) ibmc-block-custom       13) ibmc-file-retain-bronze
 4) ibmc-block-gold       14) ibmc-file-retain-custom
 5) ibmc-block-retain-bronze  15) ibmc-file-retain-gold
 6) ibmc-block-retain-custom  16) ibmc-file-retain-silver
 7) ibmc-block-retain-gold    17) ibmc-file-silver
 8) ibmc-block-retain-silver  18) NFS
 9) ibmc-block-silver       19) No dynamic provisioning
10) ibmc-file-bronze
#? 14
Storage Class Name: ibmc-file-retain-custom
Please type (Y) to accept this value or (N) to select a different storage class: y

The following environments variables will be used during the installation:
-----------------------------------------------------------------------------
namespace:                       zen
Console Port:                    31843
clusterDockerImagePrefix:        us.icr.io/aida
externalDockerImagePrefix:       us.icr.io/aida
useDynamicProvisioning:          true
storageClassName:                ibmc-file-retain-custom
-----------------------------------------------------------------------------
If these values are not correct, type N to go back and change it.
Please type (Y) to proceed or (N) to exit the installation: y
Docker version found: 1.13.1-cs1
Docker config file found: /root/.docker/config.json
Kubernete version found: Server Version: v1.11.0+d4cacc0
Kubernete config file found: /root/.kube/config
kubectl is working
Openshift binary found: oc v3.11.0+0cbc58b
Load and push all modules images ...
Load and push 0005-boot images
Loading images
/ibm/icp4d/InstallPackage/components/../base_modules/0005-boot/images
Loaded Images [==============================================================================] 16s (2/2) done
Pushed Images [==============================================================================] 19s (2/2) done
Load and push 0010-infra images
Loading images
/ibm/icp4d/InstallPackage/components/../base_modules/0010-infra/images
Loaded Images [==============================================================================] 31s (5/5) done
Pushed Images [==============================================================================] 33s (5/5) done
Load and push 0015-setup images
Loading images
/ibm/icp4d/InstallPackage/components/../base_modules/0015-setup/images
Loaded Images [==============================================================================] 11s (1/1) done
Pushed Images [==============================================================================] 13s (1/1) done
Load and push 0020-core images
Loading images
/ibm/icp4d/InstallPackage/components/../base_modules/0020-core/images
Loaded Images [==============================================================================] 24s (10/10) done
Pushed Images [==============================================================================] 26s (10/10) done
Load and push 0030-admindash images
Loading images
/ibm/icp4d/InstallPackage/components/../base_modules/0030-admindash/images
Loaded Images [==============================================================================] 12s (3/3) done
Pushed Images [===================================================>--------------------------] 14s (2/3) 67 %
Load and push 0040-dsx-base images
Loading images
/ibm/icp4d/InstallPackage/components/../base_modules/0040-dsx-base/images
Loaded Images [==============================================================================] 31s (10/10) done
Pushed Images [==============================================================================] 35s (10/10) done
Load and push 0050-jupyter-py36 images
Loading images
/ibm/icp4d/InstallPackage/components/../base_modules/0050-jupyter-py36/images
Loaded Images [==============================================================================] 2m18s (1/1) done
Pushed Images [==============================================================================] 2m19s (1/1) done
Load and push daas images
Loading images
/ibm/icp4d/InstallPackage/components/../modules/daas/images
Loaded Images [==============================================================================] 26s (4/4) done
Pushed Images [==============================================================================] 29s (4/4) done
Load and push ibm-iisee-zen:1.0.0 images
Loading images
/ibm/icp4d/InstallPackage/components/../modules/ibm-iisee-zen:1.0.0/images
Loaded Images [==============================================================================] 4m17s (35/35) done
Pushed Images [==============================================================================] 4m19s (35/35) done
Creating configmap install-info for the namespace zen
configmap/install-info created
Installing base module 0005-boot...
secret/sa-zen created
kubectl patch sa default -n zen -p '{"imagePullSecrets":[{"name":"sa-zen"}]}'
serviceaccount/default patched
Starting the installation ...
Package  Release zen-0005-boot installed.
Pods:         [------------------------------------------------------------------------------] 10m23s (0/1) 0 %
Pods:         [------------------------------------------------------------------------------] 10m24s (0/1) 0 %
Pods:         [------------------------------------------------------------------------------] 10m24s (0/1) 0 %
Pods:         [------------------------------------------------------------------------------] 10m24s (0/1) 0 %
Pods:         [------------------------------------------------------------------------------] 10m32s (0/1) 0 %
Pods:         [------------------------------------------------------------------------------] 10m34s (0/1) 0 %
Pods:         [==============================================================================] 20m54s (1/1) done
PVCs:         [==============================================================================] 2m1s (1/1) done
Deployments:  [==============================================================================] 20m54s (1/1) done
The deploy script finished successfully
Installing base module 0010-infra...
error: server took too long to respond with version information.
Starting the installation ...
Package  Release zen-0010-infra installed.
Pods:         [==============================================================================] 6m45s (11/11) done
PVCs:         [==============================================================================] 4m13s (7/7) done
Deployments:  [==============================================================================] 6m44s (4/4) done
StatefulSets: [==============================================================================] 4m53s (1/1) done
Jobs:         [==============================================================================] 4m2s (2/2) done
The deploy script finished successfully
Installing base module 0015-setup...
Starting the installation ...
Package  Release zen-0015-setup100 installed.
Pods:         [==============================================================================] 1m31s (5/5) done
Deployments:  [==============================================================================] 1m31s (1/1) done
Jobs:         [==============================================================================] 40s (2/2) done
The deploy script finished successfully
Installing base module 0020-core...
Starting the installation ...
Package  Release zen-0020-core installed.
Pods:         [==============================================================================] 3m17s (18/18) done
Deployments:  [==============================================================================] 3m17s (9/9) done
Jobs:         [==============================================================================] 2m6s (2/2) done
The deploy script finished successfully
Installing base module 0040-dsx-base...
Starting the installation ...
Package  Release zen-0040-dsx-base installed.
Pods:         [==============================================================================] 1m47s (13/13) done
Deployments:  [==============================================================================] 1m51s (6/6) done
Jobs:         [==============================================================================] 0s (2/2) done
The deploy script finished successfully
Installing base module 0050-jupyter-py36...
Starting the installation ...
Package  Release zen-0050-jupyter-py36 installed.
Pods:         [==============================================================================] 7m31s (7/7) done
Deployments:  [==============================================================================] 7m34s (4/4) done
Jobs:         [==============================================================================] 6m23s (1/1) done
The deploy script finished successfully
Installing module daas...
Starting the installation ...
Package  Release zen-cognos-dde installed.
Pods:         [==============================================================================] 5m24s (3/3) done
PVCs:         [==============================================================================] 1m41s (2/2) done
Deployments:  [==============================================================================] 5m23s (3/3) done
service/zendaasproxy exposed
deployment.extensions/dsx-core patched
The deploy script finished successfully
Installing module ibm-iisee-zen:1.0.0...
Starting the installation ...
Package  Release zen-ibm-iisee-zen100 installed.
Pods:         [==========================================================================>---] 2m11s (29/30) 97 %
PVCs:         [==============================================================================] 0s (7/7) done
Deployments:  [=========================================================================>----] 2m11s (19/20) 95 %
StatefulSets: [==============================================================================] 0s (11/11) done
Jobs:         [==============================================================================] 0s (1/1) done

If all goes well, then all Pods, Persistent Volume Claims, Deployments, Stateful Sets, and Jobs will be successful. Check your OpenShift cluster periodically to see if any pods are stuck or in an error state.
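To keep an eye on things from a terminal rather than the console, here are a couple of illustrative commands (assuming the zen namespace used throughout this guide):

# watch pods in the zen namespace as they come up
oc get pods -n zen -w
# or list only the pods that are not Running or Completed
oc get pods -n zen | grep -Ev 'Running|Completed'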

Gotchas

Watch out for the following issues.

The Solr, Cassandra, and Kafka pods are failing

We ran into issues where the pods: solr-data-solr-0, kafka-data-kafka-0, and cassandra-data-cassandra-0 were failing. We resolved this issue by changing the storage class from ibmc-file-retain-custom to ibmc-block-retain-custom for those specific pods. Here’s how we did it:

  1. Remove the link from the volume claim to the running pod:

    kubectl patch pvc solr-data-solr-0 -p '{"metadata":{"finalizers": []}}' --type=merge
    
  2. Delete the volume claim.

    oc delete pvc solr-data-solr-0
    
  3. Repeat steps 1 and 2 for the other two affected services, kafka-data-kafka-0 and cassandra-data-cassandra-0.

  4. Back in the OpenShift console, go to the Storage tab and create three new persistent volume claims with the following settings:

    | Name | Storage Class | Size | Access |
    | ---- | ------------- | ---- | ------ |
    | cassandra-data-cassandra-0 | ibmc-block-retain-custom | 90Gi | ReadWriteOnce |
    | kafka-data-kafka-0 | ibmc-block-retain-custom | 20Gi | ReadWriteOnce |
    | solr-data-solr-0 | ibmc-block-retain-custom | 30Gi | ReadWriteOnce |
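If you prefer the command line over the console, here’s a minimal sketch of an equivalent claim for solr-data-solr-0 (our own example, not taken from the installer; the Kafka and Cassandra claims follow the same pattern with their own names and sizes):

# create the replacement persistent volume claim in the zen namespace
cat <<EOF | oc create -n zen -f -
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: solr-data-solr-0
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: ibmc-block-retain-custom
  resources:
    requests:
      storage: 30Gi
EOF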

Redeploying a specific chart

At one point the ibm-iisee-zen package failed to deploy and timed out. Rather than calling deploy_on_existing.sh and starting from the beginning, you can simply call ./deploy.sh and point it at a specific folder or file.

[root@aida-vm-raft InstallPackage]# ./deploy.sh  ../modules/ibm-iisee-zen\:1.0.0/

Create a route to reach the IBM Cloud Pak for Data console

The last step is to expose the Cloud Pak for Data console. This can be done via a Route. Admittedly, this step was a surprise, as the previous guide created the route automatically. With this approach we have to create one ourselves; luckily, it’s pretty easy.

  • Go to Applications > Routes and choose to create a new one

  • Give it the name cp4data-console, bind it to the ibm-nginx-svc service, and choose to secure the route with the Passthrough option for TLS Termination.


  • The route should be created quickly and a link provided in the overview page.


  • Click the route to launch Cloud Pak for Data! By default the username and password are admin and password.

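The same route can also be created from a terminal with a single command; this is a sketch assuming the zen project and the ibm-nginx-svc service created by the base install:

oc create route passthrough cp4data-console --service=ibm-nginx-svc -n zen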

Congratulations, you have installed IBM Cloud Pak for Data.

Step 2: Installing IBM Cloud Pak for Data (add-ons)

Now that we’ve installed the base version of Cloud Pak for Data, it’s time to install a few add-ons. Since we went through all the setup earlier, we should be able to install some powerful add-ons with relatively minimal effort. For this guide we’ll install the Watson Machine Learning add-on and the Data Refinery add-on.

Installing Watson Machine Learning

Watson Machine Learning builds and deploys machine learning models, which can then be accessed via RESTful API calls.

Launch the binary to download the main Watson Machine Learning image

To begin, we execute the ICP4DATA_V2.1.0.1_WML.bin binary file. That will begin downloading a tar file to /ibm/modules.

[root@aida-vm-raft ~]# ./ICP4DATA_V2.1.0.1_WML.bin
Verifying archive integrity...  100%   All good.
Uncompressing WML  100%

****************************************************************************
******** IBM Cloud Private for Data  V2.1.0.1- Watson Machine Learning  ********
****************************************************************************
Ready to download 'IBM Cloud Private for Data  V2.1.0.1- Watson Machine Learning'? (y/n) : y

************************************************************************
 Executing BIN File
************************************************************************
Directory exists, start downloading…

Downloading the tarball to /ibm/modules/watson_machine_learning.tar
Downloading...
Download completed.

BIN File ended cleanly

Deploy Watson Machine Learning to OpenShift

Once the tar file is finished downloading, we can run deploy.sh and pass in the new tar file. A familiar interactive install wizard will ask for a few specific values; here is what we used:

| Key | Value |
| --- | ----- |
| Namespace | zen |
| Port | 31843 |
| Cluster Docker image prefix | us.icr.io/aida |
| External Docker image prefix | us.icr.io/aida |
| Storage Class Name | 14 (ibmc-file-retain-custom) |

[root@aida-vm-raft ~]# cd /ibm/icp4d/InstallPackage/components/
[root@aida-vm-raft components]# ./deploy.sh /ibm/modules/watson_machine_learning.tar
Target is a tar file. Extracting right now ...................................
Checking k8s authentication...
Kubernetes is authenticated
Checking Helm authentication...
Helm is authenticated
Namespace: zen
Please type (Y) to accept this value or (N) to set a different namespace: y

Docker Image Prefix Address: us.icr.io/aida
External Docker Image Prefix  Address: us.icr.io/aida
Please type (Y) to procede or (N) to select different registry addresses: y
Verifying the prefix via the docker push command...
e17133b79956: Loading layer [==================================================>] 744.4 kB/744.4 kB
Loaded image: pause:3.1
Registry us.icr.io/aida push successful

Provide the storage information:
Storage Class Name: ibmc-block-retain-custom
Please type (Y) to accept this value or (N) to select a different storage class: y

The following environments variables will be used during the installation:
-----------------------------------------------------------------------------
namespace:                       zen
clusterDockerImagePrefix:        us.icr.io/aida
externalDockerImagePrefix:       us.icr.io/aida
useDynamicProvisioning:          true
storageClassName:                ibmc-block-retain-custom
-----------------------------------------------------------------------------
If these values are not correct, type N to go back and change it.
Please type (Y) to proceed or (N) to exit the installation: y
Docker version found: 1.13.1-cs1
Docker config file found: /root/.docker/config.json
Kubernete version found: Server Version: v1.11.0+d4cacc0
Kubernete config file found: /root/.kube/config
kubectl is working
HELM_HOME set to: /root/.helm
Tiller pod found.
Loading images
/ibm/icp4d/InstallPackage/modules/wml//images
Loaded Images [==============================================================================] 16m51s (17/17) done
Pushed Images [==============================================================================] 23m37s (17/17) done
Deploying the chart as name wml
Running command: /ibm/icp4d/InstallPackage/components/dpctl --config /ibm/icp4d/InstallPackage/components/install.yaml helm rewriteChart -i /ibm/icp4d/InstallPackage/modules/wml//charts/*.tgz -o /ibm/icp4d/InstallPackage/modules/wml//charts/updated_wml.tgz
Running command: /ibm/icp4d/InstallPackage/components/dpctl --config /ibm/icp4d/InstallPackage/components/install.yaml helm installChart -f /ibm/icp4d/InstallPackage/components/global.yaml   -r zen-wml -n zen -c /ibm/icp4d/InstallPackage/modules/wml//charts/updated_wml.tgz
Starting the installation ...
Package  Release zen-wml installed.
Running command: /ibm/icp4d/InstallPackage/components/dpctl --config /ibm/icp4d/InstallPackage/components/install.yaml helm waitChartReady -r zen-wml -t 60
Pods:         [==============================================================================] 58m7s (13/13) done
PVCs:         [==============================================================================] 53m39s (1/1) done
Deployments:  [==============================================================================] 58m6s (5/5) done
StatefulSets: [==============================================================================] 6m24s (2/2) done
The deploy script finished successfully

If all goes well, then all Pods, Persistent Volume Claims, Deployments, Stateful Sets, and Jobs will be successful. Check your OpenShift cluster periodically to see if any pods are stuck or in an error state.

Verify Watson Machine Learning is available

The fastest way to check whether Watson Machine Learning is enabled is to go to the catalog in the upper-right corner and look for the Watson Machine Learning tile.


Once a model is created, it can be viewed in the project’s assets. Scoring data against the model is also available through the web console.

(Screenshots: model overview and model scoring)

Installing Data Refinery

Data Refinery lets users analyze local data sets and refine the data by cleansing and shaping it.

NOTE: Data Refinery is a premium add-on and availability depends on the Cloud Pak for Data license.

Launch the binary to download the main Data Refinery image

To begin, we execute the WSPre_Data_Refinery_V1.2.1.1.bin binary file. That will begin downloading a tar file to /ibm/modules.

[root@aida-vm-raft ~]# ./WSPre_Data_Refinery_V1.2.1.1.bin

Deploy Data Refinery to OpenShift

Once the tar file is finished downloading, we can run deploy.sh and pass in the new tar file. A familiar interactive install wizard will ask for a few specific values; here is what we used:

| Key | Value |
| --- | ----- |
| Namespace | zen |
| Port | 31843 |
| Cluster Docker image prefix | us.icr.io/aida |
| External Docker image prefix | us.icr.io/aida |
| Storage Class Name | 14 (ibmc-file-retain-custom) |

[root@aida-vm-raft ibm]# cd icp4d/InstallPackage/components/
[root@aida-vm-raft components]# ./deploy.sh /ibm/modules/data_refinery.tar
Target is a tar file. Extracting right now ...
Checking k8s authentication...
Kubernetes is authenticated
Checking Helm authentication...
Helm is authenticated
Namespace: zen
Please type (Y) to accept this value or (N) to set a different namespace: y

Docker Image Prefix Address: us.icr.io/aida
External Docker Image Prefix  Address: us.icr.io/aida
Please type (Y) to procede or (N) to select different registry addresses: y
Verifying the prefix via the docker push command...
Registry us.icr.io/aida push successfull

Provide the storage information:
Storage Class Name: ibmc-file-retain-custom
Please type (Y) to accept this value or (N) to select a different storage class: y

The following environments variables will be used during the installation:
-----------------------------------------------------------------------------
namespace:                       zen
clusterDockerImagePrefix:        us.icr.io/aida
externalDockerImagePrefix:       us.icr.io/aida
useDynamicProvisioning:          true
storageClassName:                ibmc-file-retain-custom
-----------------------------------------------------------------------------
If these values are not correct, type N to go back and change it.
Please type (Y) to proceed or (N) to exit the installation: y
Docker version found: 1.13.1-cs1
Docker config file found: /root/.docker/config.json
Kuberneteis version found: Server Version: v1.11.0+d4cacc0
Kubernetes config file found: /root/.kube/config
kubectl is working
HELM_HOME set to: /root/.helm
Tiller pod found.
Loading images
/ibm/icp4d/InstallPackage/modules/0190-shaper//images
Loaded Images [==============================================================================] 1m24s (1/1) done
Pushed Images [==============================================================================] 3m1s (1/1) done
Deploying the chart as name 0190-shaper
Running command: /ibm/icp4d/InstallPackage/components/dpctl --config /ibm/icp4d/InstallPackage/components/install.yaml helm rewriteChart -i /ibm/icp4d/InstallPackage/modules/0190-shaper//charts/*.tgz -o /ibm/icp4d/InstallPackage/modules/0190-shaper//charts/updated_0190-shaper.tgz
Running command: /ibm/icp4d/InstallPackage/components/dpctl --config /ibm/icp4d/InstallPackage/components/install.yaml helm installChart -f /ibm/icp4d/InstallPackage/components/global.yaml -f /ibm/icp4d/InstallPackage/modules/0190-shaper//icp4d-override.yaml  -r zen-0190-shaper -n zen -c /ibm/icp4d/InstallPackage/modules/0190-shaper//charts/updated_0190-shaper.tgz
Starting the installation ...
Package  Release zen-0190-shaper installed.
Running command: /ibm/icp4d/InstallPackage/components/dpctl --config /ibm/icp4d/InstallPackage/components/install.yaml helm waitChartReady -r zen-0190-shaper -t 60
Pods:         [------------------------------------------------------------------------------] 1m38s (0/3) 0 %
Jobs:         [------------------------------------------------------------------------------] 1m37s (0/1) 0 %

If all goes well, then all Pods, Persistent Volume Claims, Deployments, Stateful Sets, and Jobs will be successful. Check your OpenShift cluster periodically to see if any pods are stuck or in an error state.

Verify Data Refinery is available

Aside from looking in the catalog, the quickest way to ensure Data Refinery is available is to click the context menu for a data set and select the “Explore and Refine” option.

(Screenshots: launching Data Refinery and the Data Refinery tooling)

Gotchas (for installing add-ons)

Watch out for the following issues. Here’s what we learned.

Running out of space on our VM

Some of the pods were failing to deploy because we ran out of space on our Linux box. To resolve this we cleaned up any lingering Docker images with docker system prune. This freed up a bunch of space and got us past our issue.

docker system prune --all

Watson Machine Learning volume claim required ReadWriteMany access

We also ran into an issue where the volume for Watson Machine Learning (wml-repo-pvc) required ReadWriteMany access, but the selected Block Storage class didn’t support that. Here was the error message:

ProvisioningFailed    52m (x3 over 53m)   ibm.io/ibmc-block_ibmcloud-block-storage-plugin-260f18665e1d  failed to provision volume with StorageClass "ibmc-block-retain-custom":
"ReadWriteMany" is an unsupported access mode. Block Storage supports only 'ReadWriteOnce' mode

We ended up unlocking the volume, deleting it, and re-creating it with the File Storage class.

[root@aida-vm-raft ibm]# kubectl patch pvc wml-repo-pvc -p '{"metadata":{"finalizers": []}}' --type=merge
persistentvolumeclaim/wml-repo-pvc patched
[root@aida-vm-raft ibm]# oc delete pvc wml-repo-pvc
persistentvolumeclaim "wml-repo-pvc" deleted

Back in the OpenShift console, go to the Storage tab and create a new volume claim with the following settings:

| Name | Storage Class | Size | Access |
| ---- | ------------- | ---- | ------ |
| wml-repo-pvc | ibmc-file-retain-custom | 90Gi | ReadWriteMany |
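As with the earlier Solr/Kafka/Cassandra claims, this can also be done from a terminal instead of the console; a sketch, assuming the zen namespace:

# recreate wml-repo-pvc with the File Storage class and ReadWriteMany access
cat <<EOF | oc create -n zen -f -
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: wml-repo-pvc
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: ibmc-file-retain-custom
  resources:
    requests:
      storage: 90Gi
EOF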

To resume the deployment process run:

./deploy.sh /ibm/modules/watson_machine_learning.tar

Summary

Now that you’ve installed IBM Cloud Pak for Data on Red Hat OpenShift using a custom container registry, you can try out our IBM Cloud Pak for Data code pattern to get started on your AI journey.

Steve Martinelli
Scott D’Angelo